BlackEnergy APT Attacks in Ukraine

VIRUS DEFINITION

Virus Type:
Spyware, Advanced Persistent Threat (APT), Trojan

What is BlackEnergy?

BlackEnergy is a Trojan that is used to conduct DDoS attacks, cyber espionage and information destruction attacks. Around 2014, a specific group of BlackEnergy operators began deploying SCADA-related plugins to victims in the ICS (Industrial Control Systems) and energy markets around the world. This indicated a unique skillset, well above that of the average DDoS botnet master.

Since mid-2015, the BlackEnergy APT group has been actively using spear-phishing emails carrying malicious Excel documents with macros to infect computers in a targeted network. However, in January this year, Kaspersky Lab researchers discovered a new malicious document, which infects the system with a BlackEnergy Trojan. Unlike the Excel documents used in previous attacks, this was a Microsoft Word document.

Upon opening the document, the user is presented with a dialog recommending that macros should be enabled in order to view the content. Enabling the macros triggers the BlackEnergy malware infection.
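As an added defender-side example (not Kaspersky's code): a small triage script that flags Office files carrying a VBA project, the component that the macro prompt described above asks the user to enable. It covers the OOXML Word and Excel formats mentioned on this page; the sample containers, their file names and the placeholder macro bytes are constructed for the demonstration.

```python
"""Triage helper: flag Office documents that carry a VBA macro project.

Added example for this page, not Kaspersky's code. In OOXML files
(.docx/.docm, .xlsx/.xlsm) the macro project is a zip member named
vbaProject.bin. Legacy binary .doc/.xls files (OLE2 compound files)
are only flagged as needing inspection with a dedicated OLE parser.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls header
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (zip) local header


def macro_members(data: bytes) -> list[str]:
    """Return zip member paths that hold a VBA project (empty if none)."""
    if not data.startswith(ZIP_MAGIC):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]


def classify(data: bytes) -> str:
    """Classify a blob: 'ooxml-macro', 'ooxml-clean', 'ole2-legacy' or 'other'."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-legacy"  # needs an OLE parser (e.g. olefile) to look inside
    if data.startswith(ZIP_MAGIC):
        return "ooxml-macro" if macro_members(data) else "ooxml-clean"
    return "other"


def build_sample(with_macro: bool, app: str = "word") -> bytes:
    """Constructed sample OOXML container (not a real lure) used for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(f"{app}/document.xml", "<document/>")  # constructed main part
        if with_macro:
            zf.writestr(f"{app}/vbaProject.bin", b"\x00constructed-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("lure.docm", build_sample(True)),
               ("clean.docx", build_sample(False)),
               ("sheet.xlsm", build_sample(True, "xl"))]
    for name, blob in samples:
        print(name, classify(blob), macro_members(blob))
```

A positive result only says the file contains a macro project, which is a reason to inspect it before enabling anything, not proof of BlackEnergy.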

Who are the victims of its attacks?

The BlackEnergy APT group is active in the following sectors:

ICS, energy, government and media in Ukraine

ICS/SCADA companies worldwide

Energy companies worldwide

Am I at risk?

The group is active against Ukrainian entities, especially those in the energy sector, government and media. It also attacks ICS/SCADA and energy companies worldwide. You could be at risk if you work for, own, or cooperate with organizations of this kind.

How do I know if I’m infected?

Kaspersky Lab products detect the various Trojans used by BlackEnergy as: